COMMAND

    cron(8)/crontab(1)

SYSTEMS AFFECTED

    All  platforms  running  FreeBSD  1.0,  1.1,  2.1.0, 2.1.5, 2.1.6,
    2.1.6.1 and 2.2.
    All platforms running RedHat Linux version 4.0.
    All releases of NetBSD up to and including 1.2.

PROBLEM

    Two unrelated vulnerabilities are known to exist in some  versions
    of the cron package.

    1.  Command line buffer overrun

	Due to  insufficient bounds  checking on  arguments which  are
	supplied by users,  it is possible  to overwrite the  internal
	stack space of the crontab program while it is executing.   By
	supplying  a  carefully  designed  argument  to  the   crontab
	program, intruders  may be  able to  force crontab  to execute
	arbitrary  commands.   As  crontab  is  setuid  root, this may
	allow  intruders   to  run   arbitrary  commands   with   root
	privileges.

    2.  Reading environment buffer overrun

	A similar vulnerability exists in the library routine used to
	load environment variables.  This vulnerable routine is used
	in both cron and crontab.  Due to insufficient bounds
	checking, it may be possible for intruders to manipulate cron
	or crontab into executing arbitrary commands with root
	privileges.

    Both of these vulnerabilities are known to be present in the Vixie
    cron package, up  to and including  version 3.0.   This package is
    installed by default under some versions of Unix.  The Vixie  cron
    package may have  also been installed  as third party  software by
    sites.

	# strings /usr/bin/crontab | grep -i vix

    Sites  which  have  versions  based  on Vixie cron should consider
    themselves  vulnerable.    Exploit  information  involving   these
    vulnerabilities can be found on this page under crontab #2 bug.

SOLUTION

    Remove setuid and non-root execute permissions and check crontab
    files

    For example:

	# ls -l /usr/bin/crontab
	-r-sr-xr-x   1 root     bin    20480 Jun 10  1996 /usr/bin/crontab

	# chmod 500 /usr/bin/crontab
	# ls -l /usr/bin/crontab
	-r-x------   1 root     bin    20480 Jun 10  1996 /usr/bin/crontab

    You may also restrict crontab access.

       # chgrp trusted /usr/bin/crontab
       # chmod 4750 /usr/bin/crontab
       # ls -l /usr/bin/crontab
       -rwsr-x---   1 root    trusted   20480 Jun 10  1996 /usr/bin/crontab